Category Archives: Electronic Health Records

CA Hospital Appeals Fine of $250,000 for Failure to Report a Laptop Theft

Lucile Packard Children’s Hospital (LPCH) at Stanford is appealing a California Department of Public Health (CDPH) penalty issued on April 23, 2010.  The fine of $250,000 was levied as a result of a late reporting of a security incident.  According to a September 9, 2010 press release issued by the hospital, the incident was related to “the apparent theft earlier in the year of a password-protected desktop computer that contained information about 532 patients.”  The press release further states:

The computer in question was used by an employee whose job required access to patient information. Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.
 
As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients. The hospital also provided to the families identity theft protection and other support services.   Theft charges have been filed against the former employee.

The LPCH data breach is generally considered the most common form of breach, namely one that involves a stolen or lost laptop.  No matter how much training you provide or how many times you emphasize there is zero tolerance for mishandling laptops, there will always be negligent or reckless conduct involving laptops.    On top of all the hard forensics and notification costs associated with such events, California hospitals also now have to deal with significant regulatory penalties for these mistakes.  Thankfully, incidents have been slightly decreasing due to better practices and there exist low-cost insurance solutions that pick up breach expenses/fines on those occasions when an incident is not avoided.

HITECH Public Data Breaches: Majority Caused by Theft

Last month, the Health Information Trust Alliance published an analysis of the 108 breaches reported to HHS from Sept. 23, 2009 (when reporting first started under the HITECH Act) to mid-July.  This review illustrates the major impact of theft on healthcare providers.   Of 108 total reported breaches, 68 were the result of theft.  Indeed, the only type of breach experienced by every healthcare industry sector was theft.   The most common thefts involved laptops and removable data drives and devices.   The majority of the data found on these devices remains unencrypted.  This lack of encryption is significant given that, as with the breach notification laws in most states, there is a notification safe harbor under the HITECH Act implementation regulations whenever the stolen data is encrypted. 

This review of HHS reported breaches highlights what risk managers have likely known for some time now, namely that it is important to better train employees regarding the use and maintenance of laptops/memory devices.  Although not nearly as “top of mind” as better training, risk managers are now understanding the value in deploying system-wide encryption solutions.  There is obviously much less likelihood of the breach turning into a major financial incident when there is no notification.  In other words, whether the added expense of encryption — both financial and time-driven — is worth it to a healthcare provider gets answered each day there is another publicly noticed breach.

AON Disclosure Impacts 22,000 Retirees

According to a story published today in the News Journal, Aon Consulting is mailing letters to approximately 22,000 State of Delaware retirees after it inadvertently posted social security numbers, gender information and dates of birth in a Request for Proposal (RFP) the company prepared for the State.  The RFP information was posted by AON to the procurement section of the Delaware website for five days before it was discovered and removed.  This is not the first data breach for Aon Consulting.  In May 2008, an AON laptop containing the names and Social Security numbers of 57,160 people related to a Verizon engagement was stolen from a New York City restaurant. The laptop was never recovered.

Moreover, it is not the first time a global broker has compromised client data.  On May 9, 2006, a Marsh subsidiary lost a personal computer containing records of more than a half million New Yorkers.  The lost data includes social security numbers and dates of birth.   And, in 2008, Willis lost a data tape in India that contained data belonging to numerous clients who, in turn, had to report to their clients

These events are a stark reminder that no one is 100% immune — even those who are in the risk management business are vulnerable to a data breach.  Indeed, Marsh, AON and Willis are the three largest brokers in the world and have built over the years very sophisticated risk management practices to assist clients address their exposures.   Accordingly, the message here is not to think any less of these brokers but rather to recognize the magnitude of the challenges faced by all firms when  managing data risk.  In other words, if a breach can hit these folks, it can hit just about anyone.

Healthcare Industry Hit Hard with Data Breaches

According to the ID Theft Resource Center, 97 of the 341 organizations that sustained a significant data breach in the first half of 2010 were in the healthcare industry.  By comparison, only 38 breaches were reported at banking and other financial institutions.   As shown by the breach sustained by BCBS Tennessee, the direct costs for breaches can exceed $10 million.  And, the repercussions for these breaches are not even limited to direct mitigation or liability expense.  For example, the California Department of Health has fined five hospitals a total of $675,000 for repeatedly failing to provide adequate security for patient data. 

Given the HITECH Act’s desire to increase usage of EHRs, healthcare providers are now scrambling with new software systems that leave them quite vulnerable until full tested.  Moreover, the public may be losing patience with healthcare providers given more and more breaches are now being reported.  This can only lead to an emboldened plaintiffs’ bar. 

What’s a healthcare provider to do? 

It can be argued that there is not much a healthcare provider can do to avoid a breach other than improve security and continue to train its staff.   After all, how can you stop an employee from going around security protocols and stealing data?   As for lost or stolen laptops, that will likely never abate — as illustrated by recent laptop thefts in Texas and Oregon.  Having a robust vendor management program in place is helpful but can never fully prevent rogue contractors from losing or stealing data.  In other words, the risk can be mitigated against (somewhat) but never fully removed so long as healthcare data remains valuable, healthcare providers stay in the healthcare business (and not data security business), and workers continue to make mistakes.  There is a risk management approach, however, that should be seriously evaluated by every participant in the healthcare industry. 

In the same manner medical malpractice insurance is standard in the healthcare industry, network security and privacy insurance should be seriously considered as a risk transfer tool.  Depending on the size, sophistication, and needs of an organization, the terms can be very affordable and flexible.  For example, a hospital with $30 million in revenue can now obtain a comprehensive policy that will safeguard against a breach impacting 250,000 patients for under $15,000.   The bad news is that most insurance professionals or brokers are unaware of the correct pricing or terms for such coverage.  Accordingly, they rely on wholesale brokers who are inundated with submissions and have a tough time qualifying leads (given they do not interact directly with  insureds) — which, in turn, prevents some organizations from getting the attention they deserve.  Thankfully, there are risk professionals out there with the right background to help cash-strapped healthcare organizations obtain the right protection at the right price.  At the very least, healthcare providers and plans should reach out to these risk professionals to obtain a “ballpark” quote. 

Armed with a ballpark quote,  organizations are at least able to determine whether it makes sense to pursue coverage.  Getting a ballpark quote requires minimal effort.  In order to obtain a ballpark, please simply provide your revenue.  We will get back to you within several days with a ballpark insurance quote for network security and privacy insurance.

Hospital Data Continues to be at Serious Risk with Third-Party Vendors

According to the 2010 HIMSS Analytics Report: Security of Patient Data, even though providers continue to update their security infrastructure, patient data remains at serious risk.  And, despite new statutory requirements for healthcare privacy and security, these critical gaps remain.  The study’s conclusion is not that surprising given new healthcare breaches are being reported on a daily basis.

One improvement that can be immediately implemented with little cost outlay is the initiation of a vendor risk management program.  Recent changes to how HHS views business associates and new data security laws in states such as Massachusetts  actually now make it imperative that hospitals affirmatively manage the risks inherent in having third-party companies handle sensitive data.  There are certainly enough incidents to justify the attention.  For example, a company hired by South Shore Hospital to dispose of patient records simply outsourced the work to a second company.  It was this second company – a company that did not directly contract with the hospital – that lost 800,000 patients’ files.

Lost or stolen laptops used by the contractors of business associates litter the data breach landscape.  Incidents such as the one that impacted New Mexico’s Medicaid Salud! Plan is fairly common.  The Plan members were hit with a breach not arising out of the direct negligence of DentaQuest, a company that processes claims and provides dental benefits for the Plan; but instead, from the negligence of an employee of West Monroe Partners – a company hired by DentaQuest.  A West Monroe employee had an unencrypted laptop with protected information in the trunk of a car when the vehicle was stolen.  Although it may not always be convenient, most employees should know by now not to leave a laptop in a car – especially if it is unencrypted.  It’s not easy, however, for a hospital to enforce a policy on a company it does not even know exists.

There are two basic risk management suggestions to be gleaned from these incidents.   Not only should the obvious indemnifications be negotiated in all business associate agreements, hospitals need to require business associates vet  subcontractors to ensure they also have proper security controls in place.   In fact, this is actually dictated by the recent statutory changes referenced above.  And, if a hospital purchases insurance to cover the costs of a breach, it should confirm that the insuring agreement broadly covers third-party incidents.  Given that network security and privacy insurance remains a nascent market – albeit one that is now rapidly growing – not all insurance contracts are the same when it comes to how far the third-party coverage net reaches.   NSAP insurance should also be included in every insurance clause requirement – with a provision requiring that subcontractors also procure the necessary minimum coverages.

Hospitals should never forget that their data security is only as strong as their weakest link – which given cost-cutting measures undertaken by business associates may sometimes be an unknown company with weak security controls.

NSAP Insurance Full Policy Limits Must Cover First Party Data Breach Costs

A recently disclosed $10 million data breach expense bill raises an issue that has been percolating the network security and privacy (NSAP) insurance marketplace for several years now.  The publicly disclosed expenses involve BlueCross BlueShield of Tennesee (BCBST).

According to BCBST, in October 2009, “57 hard drives containing audio and video files related to coordination of care and eligibility telephone calls from providers and members were stolen from a leased facility in Chattanooga that formerly housed a [BCBST] call center.”  And, as of June 11, 2010, the total number of current and former compromised BCBST members is 998,936.  Although there has been no documented incident of identity theft or credit fraud of BCBST members as a result of this theft, BCBST has incurred to date $10 million in costs.  These expenses are driven by its retention of Kroll to investigate the theft, e.g., determine which members were impacted, Equifax credit monitoring, LifeLock services, notification costs, and call center expense. 

The key takeaway from incidents such as this one turns on the fact there is no lawsuit to defend – and no NSAP liability policy trigger to set in motion.  The only trigger is first-party driven, namely the internal expenses incurred to deal with a data breach incident. 

As with most NSAP insurance buyers, the growing number of Blues who have actually purchased NSAP insurance have agreed to sub-limits on their first-party expenses that are usually a fraction of the full liability limit.   This is unacceptable given victims such as BCBST are often forced to expend millions of dollars without seeing a single lawsuit or regulatory complaint.  In fact, the goal of spending so much on the front end is to avoid litigation. 

The good news is that there are a few NSAP insurers who are willing to offer full limits for first-party expenses incurred as a result of a data breach.   These insurers should be evaluated when looking at NSAP insurance for the first time.  And, upon renewal, if your current insurer does not provide the limits you need for the expenses you are most likely to incur, either have your current broker evaluate other insurers or turn to a new broker who can help locate better options.

HHS Issues Proposed New HIPAA Regulations and Breach Portal

Using a lavish press conference as the backdrop, HHS officials announced yesterday proposed changes to the HIPAA regulations as well as an updated web page listing those breaches impacting more than 500 individuals.  The purpose of the new Rules issued yesterday is to align the HIPAA rules with the HITECH Act passed last year.   Specifically, the press announcement states: 

The proposed modifications to the HIPAA Rules issued today include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans.  In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Under the proposed Rules (which are 234 pages in length), (1) individuals would have more convenient access to their protected health information (PHI) if available in electronic format; (2) covered entities would only need to protect the health information of decedents for 50 years after their death, as opposed to protecting the information in perpetuity as is required by current HIPAA requirements; and (3) the definition of who constitutes a business associate is expanded.

If these proposed rules are adopted, the expanded view of what constitutes a business associate will include the following:

We propose to add language in paragraph (3)(iii) of the definition of “business associate” to provide that subcontractors of a covered entity – i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also propose to include a definition of “subcontractor” in §160.103 to make clear that a subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we use the term “subcontractor,” which implies there is a contract in place between the parties, we note that the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person.

During the coming weeks there will be much analysis given to these proposed Rules but when it is all sorted out, it is anticipated that the above-listed three changes will be deemed to be among the more significant.  Giving individuals the ability to access their PHI in a particular electronic format will drive up costs, limiting record keeping to 50 years will reduce costs given current encryption technologies, and expanding the definition of business associates to a vague circular definition will throw a monkey wrench to just about any entity looking to comply with HIPAA.  These proposed Rules are certainly a nice gift to privacy lawyers looking to boost their summer hourly billing.

CT AG Successfully Uses HITECH Act to Settle HIPAA Breach

Taking advantage of a federal law passed last year, Connecticut’s Attorney General, Richard Blumenthal, announced yesterday a settlement with HMO Health Net that includes a corrective action plan, a $250,000 payment to the State of Connecticut (with an additional potential pot of $500,000), and increased credit monitoring and ID theft insurance to potential victims.  According to Blumenthal’s original lawsuit, Health Net lost or had stolen a disk drive last year containing sensitive information from 1.5 million persons – including 446,000 Connecticut residents.  The drive contained names, addresses, social security numbers, HIPAA-protected health information and financial information. 

The underlying federal statute relied upon by Blumenthal when bringing suit against Health Net is Title XIII of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act (the HITECH Act).  The HITECH Act not only offers financial incentives to prod the use of electronic health records (EHR) but also greatly expands the protections afforded such information.  For example, it creates the first federal breach notification law.   Covered Entities and Business Associates that “access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose” unsecured personal health information must disclose to the owner notice of a breach.  See Sections 13402(a) and (b) of the HITECH Act.    

In obtaining yesterday’s settlement, Blumenthal was the first Attorney General to take advantage of the HITECH Act’s grant of HIPAA compliance jurisdiction to state Attorney Generals.   It is entirely likely that other states will now jump on this bandwagon – especially those with AGs seeking higher political office.   In fact, last month AG’s from across the country were scheduled to receive training on HIPAA compliance from Booz Allen Hamilton

As for the Health Net settlement, the amounts paid to Connecticut are small compared to what has been spent to date dealing with the breach.  According to the settlement agreement, Health Net allegedly has already spent more than $7 million to investigate what happened to the disk drive, notify members and provide credit monitoring and identity-theft insurance to those potentially impacted.   It is incidents like these that showcase the value of requiring strong indemnification language backed by an equally strong requirement of data breach insurance coverage for those firms managing or holding your patients’ or members’ sensitive medical information.

Colorado Casualty: Stolen Health Records Not a Covered Event

As detailed by the Salt Lake Tribune, Colorado Casualty Insurance Co. contends it is not obligated to cover costs incurred in 2008 by the University of Utah after tapes containing electronic medical billings records on 1.7 million patients were stolen from a car.   The insurer filed a declaratory judgment action on April 9, 2010 seeking a declaration that the commercial package insurance purchased by the vendor who was to safeguard the records, Perpetual Storage, did provide coverage for the claims made against the insurer.   A review of the seven-page complaint provides no insight as to the terms of the policy in question. 

The claim is ultimately based on first-party costs incured by the University of Utah.   Not including 6,232 in personnel hours responding to the breach, the University allegedly spent over $3.2 million on:  (1) $646,149 in printing and mailing costs; (2) $81,389 for a call center that fielded over 11,000 calls within two weeks; and (3) $2.5 million for credit-monitoring services. 

Notwithstanding what the Colorado Casualty policy may actually state, the above claim would have been covered under most network security and privacy policies.   Lesson learned:   It is critical to confirm a vendor’s insurance clause lists the necessary coverages — including NSAP coverage if they are to handle sensitive data.

White House Cyber Security Plan Focuses on EHR Management

According to an article in Government Health IT, the White House is looking to develop a network security strategy “that pays particular heed to the importance of building a trusted arena for electronic health care transactions.”    Howard Schmidt, the White House Cyber Security Czar, said at a May 11 HIPAA conference on privacy and security that the administration will roll out a “trust framework” based on  technologies, standards, services and policies that will eventually be adopted by the government, industry and consumers. 

According to Schmidt, “[o]ne-person physician offices have to be part of this system.  They have to have the capacity to trust identity and to trust medical records and information because they don’t have infrastructure and they don’t have a CIO.”  The White House’s ultimate goal is to instill enough “trust” in the system so that small practice groups and individual providers would be willing to adopt electronic health records (EHRs).   This initiative comes on the heels of the HITECH Act’s goal of prodding the use of EHRs throughout the health care food chain.

Since the passage of the HITECH Act, there has been much criticism regarding the utility of EHRs (the time needed to transcribe notes, mistakes made in such transcriptions, content limitations, etc.) so it remains to be seen whether widespread use will ever take hold notwithstanding the HITECH Act’s stick/carrot approach to prodding implementation.  Indeed, some have argued that one of the goals of the Act, i.e.,  the improvement of health care by changing patient behavior, will likely take a turn for the worse after EHR implementation.  

To the extent practice groups and providers actually take the plunge and devote resources to a new EHR implementation, they should likely apply a holistic approach to security and privacy that applies general risk management principles.   This article recently published by AHRMNY in its Risk Management Quarterly provides an EHR risk management overview that can help start that process.   As well, here is a link to the presentations from the recent HIPAA conference (minus Mr. Schmidt’s keynote address).   There are several linked presentations that talk to risk assessments and other security considerations of interest to providers and those folks who advise them.